VPN, Ad Blocker Provider Caught With Hand in the Data Jar

By John P. Mello Jr.
Mar 11, 2020 4:00 AM PT

A number of VPN and ad-blocking apps owned by Sensor Tower, a popular analytics platform, have been collecting data from millions of people using the programs on their Android and iOS devices, BuzzFeed reported Monday.

The software involved includes Free and Unlimited VPN, Luna VPN, Mobile Data, Adblock Focus for Android devices, and Adblock Focus and Luna VPN for iOS hardware, BuzzFeed found. The apps have been collecting data and feeding it to Sensor Tower's products without disclosure to users.

After it contacted Apple and Google about the apps, BuzzFeed said, Adblock Focus was removed from Apple's online store and Mobile Data was scotched from the Google Play store.

After a Sensor Tower app is installed on a phone, it instructs a user to install a root certificate, which is software that can access all data passing through a phone, BuzzFeed explained.

Accessing root certificate privileges is restricted by Google and Apple because it poses a security risk to users, BuzzFeed noted. However, Sensor Tower's apps bypass those restrictions by having users install the root certificate from an external website after an app is downloaded.

Sensor Tower said it only collected anonymized usage and analytics data for integration into its products, according to Buzzfeed. Those products are used by developers, venture capitalists, publishers and others to track the popularity, usage trends and revenue of apps.

Sensor Tower did not respond to our request to comment for this story.

Reasonable Expectations

Sensor Tower's business practices aren't that unusual, especially in the free software field.

"I think that consumers in general don't have much of a sense of what happens with their data," observed Greg Sterling, vice president of market insights at
Uberall, a maker of location marketing solutions based in Berlin.

"They're increasingly concerned about privacy but they feel generally powerless to do much about it," he told TechNewsWorld.

"Any company that uses the language of privacy -- as in virtual private cetwork -- in its product description or marketing does create an expectation of privacy about the consumer's identity and transmission of data to third parties," Sterling continued.

"This is why the consumer is using a VPN in the first place, to maintain secrecy or privacy," he added.

While the expectation of privacy when using a VPN may seem obvious to users, it's less so to app developers, noted Drew Schmitt, an incident response consultant for
The Crypsis Group, a security advisory firm with offices in Washington D.C., New York, Chicago, Austin and Los Angeles.

"From my view, the expectation of privacy is reasonable. However, I think that most businesses that offer a 'free' product wouldn't necessarily agree," Schmitt told TechNewsWorld.

"I think the tendency for these types of businesses is to justify the actions of selling data by focusing on data that is not 'sensitive' by definition," he continued. "At the end of the day, though, all of these small, seemingly insignificant data points add up to being able to target individuals in some way, which ultimately ends up being fairly sensitive."

Ethical Debate

People need to remember what a VPN is, said Matias Katz, CEO of
Byos, an endpoint security solutions provider in Halifax, Nova Scotia, Canada.

"When using any VPN service you are sending all of your data to another data center before it reaches the Internet," he told TechNewsWorld.

"If I am managing my own VPN server, that's fine because I own the server and the data," Katz continued.

"If I'm sending my data to a third-party like Sensor Tower, whether or not they tell me my data is or isn't being collected, I have no way of knowing what goes on inside of those data centers," he said. "There is no way to verify what's true or not, and the hard truth is commercial VPNs are unregulated, and it's extremely difficult to verify what happens to our data."

Although trading app access for data is a common practice, experts are divided about the ethics of Sensor Tower's methods.

"If you are receiving a service in return for information being captured about you then it could be called ethical," said Brian Chappell, director of product management at Carlsbad, California-based
BeyondTrust, a maker of pivileged account management and vulnerability management solutions.

"There's nothing really unethical about trading data for services as long as all parties are fully aware of the arrangement," he told TechNewsWorld.

"Sensor Tower's data collection is not ethical by any means," maintained Harold Li,
vice president of
ExpressVPN, a high speed VPN provider in Tórtola, British Virgin Islands.

"Sensor Tower is using VPNs and ad blockers, which are tools meant to protect user privacy, to get users to install root certificates that bypass standard security measures by Android and iOS to access and mine data and traffic," he told TechNewsWorld.

"Most users assume ad-blocking and VPNs will improve their privacy, not worsen it," he told TechNewsWorld.

"These apps prey on people who want something for nothing and don't take the time to read privacy policies or review permissions," Bischoff said.

Consumer, Protect Thyself

One way consumers can protect themselves from data greedy apps is by reading their privacy policies, Bischoff noted.

"If they don't explicitly state that they don't collect and share data, assume that they do," he said. "Consumers should be particularly wary of free apps, which often have no other means of generating revenue."

Consumers can protect themselves by limiting the number of applications they install from unknown developers, and by using only trusted app stores, suggested Jack Mannino, CEO of
nVisium, a Herndon, Virginia-based application security provider.

It's not wise to put too much stock in download and review information, he cautioned.

"While the number of installs and positive reviews can be an indicator of legitimate software, in this case millions of users unknowingly opted into this," Mannino told TechNewsWorld.

One note of encouragement is that consumers are not as powerless to control their data as they used to be, said Ameet Naik, a security evangelist with
PerimeterX, a Web security service provider in San Mateo, California.

"As of January 2020, consumers now have the option of opting out of data collection," he told TechNewsWorld. "Look for the 'Do Not Sell' link on the vendor's website and exercise your opt-out right under the CCPA (California Consumer Privacy Act) if you suspect your data has been misused."

Consumers have a right to be informed about any of their data that is being harvested by any software they install, said Ben Williams, director of advocacy at
Eyeo, maker of AdBlock Plus, in Cologne, Germany.

"With the developments around privacy we've witnessed recently -- the death of third-party cookies, GDPR, CCPA -- this would seem an old lesson by now. Guess not," he told TechNewsWorld.

"What we forget when we talk about the browser actions and legislation that ostensibly caused these developments is that it was the consumer who demanded more control," Williams said. "Just listen to them."

John P. Mello Jr. has been an ECT News Network reporter
since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the
Boston Phoenix, Megapixel.Net and Government
Security News. Email John.